Description
This article describes Virtual Router Redundancy Protocol (VRRP) service and DNS service between FortiGate and FortiExtender.
Once FortiGate and FortiExtender are integrated, VRRP keeps Internet service available: if network service fails on FortiGate, FortiExtender automatically takes over the network service, and if network service fails on FortiExtender, FortiGate automatically takes over.
While VRRP is active between FortiGate and FortiExtender, DNS service is also provided automatically by whichever device holds the VRRP address: FortiGate while it is in the Primary state, or FortiExtender while it is in Master mode.
Scope
FortiGate and FortiExtender integration with VRRP service and DNS service.
Solution
1) On FortiExtender, configure the interface used for the data channel with FortiGate.
On that interface, also enable VRRP with the VRRP IP address and its parameters, as in the snapshot below (disable or remove the DHCP service on this interface first, because VRRP and DHCP cannot be enabled on the same interface).
2) On FortiExtender, configure the control channel with FortiGate. In this example, port4 is used for the control channel.
3) On FortiExtender, go to Settings -> Management and configure the following parameters:
Management type: auto or FortiGate.
Discovery type: static or broadcast.
Discovery interface: the control channel interface; in this scenario it is port4, with IP address 192.168.4.1.
4) On FortiExtender, go to Settings -> Management and configure FortiGate Backup, as in the snapshot below:
enable VRRP for the data channel interface, which in this scenario is the LAN interface.
5) On FortiGate, configure the data channel interface; it must be in the same subnet as the FortiExtender data channel interface.
In this scenario, port1 on FortiGate is the data channel, matching the LAN interface on FortiExtender.
6) On FortiGate, configure the control channel interface that matches the control channel interface on FortiExtender.
In this scenario, port2 is configured as the control channel.
7) On FortiGate, create a FortiExtender WAN extension.
8) Choose the FortiExtender WAN interface used to connect to the FortiExtender.
9) On FortiGate, configure VRRP on the data channel interface; in this scenario, it is port1.
The VRRP IP address must be the same as the VRRP IP address configured on the FortiExtender VRRP interface.
10) On FortiGate, configure the DNS service on the VRRP interface. In this scenario, it is port1.
11) On FortiExtender, configure the DNS service on the VRRP interface. In this scenario, it is the LAN interface.
12) On the client, configure the DNS server; it must be the VRRP IP address. In this scenario, the DNS server IP must be 192.168.200.100.
13) When the FortiGate VRRP interface is up, check the VRRP status on both devices.
In this scenario, bring FortiGate port1 up and check the VRRP status.
On FortiGate:
On FortiExtender:
14) On the client, ping a website to confirm that DNS resolution is served by FortiGate.
15) On FortiGate, bring the VRRP interface down, or reboot FortiGate, to remove network service from FortiGate.
On FortiGate, check VRRP status:
On FortiExtender, check VRRP status:
16) On the client, ping a website; the client now gets network service and DNS service from FortiExtender.
Resolving a domain that exists in the FortiExtender DNS shadow database or public database confirms that DNS on FortiExtender is serving the client:
17) Bring the FortiGate port1 interface back up and repeat the checks from step 16:
On FortiGate:
On FortiExtender:
18) On the client, look up the domain name that exists only in the FortiExtender DNS database. DNS returns no resolution, because FortiExtender is in the backup state and FortiGate is now serving DNS.
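The client-side checks in steps 14, 16 and 18 can be scripted so that a failover test leaves a record instead of relying on eyeballing ping output. The Python below is an added example, not part of the original article or a Fortinet tool. It queries only the VRRP address (192.168.200.100 from the article) and uses the article's own distinguishing signal: a name that exists only in the FortiExtender DNS database resolves while FortiExtender is VRRP master and fails once FortiGate is back in the Primary state, while a public name resolves through either device. The names www.fortinet.com and lab-only.example, the constructed answer tables, and the use of the dnspython package for live queries are assumptions, not values from the article.

```python
"""Which device is serving DNS behind the VRRP address? (added example)"""
from __future__ import annotations

from typing import Callable, Dict, List, Optional, Tuple

VRRP_VIP = "192.168.200.100"        # VRRP IP address from the article (step 12)
PUBLIC_NAME = "www.fortinet.com"    # assumption: any name resolvable via public DNS
SHADOW_NAME = "lab-only.example"    # assumption: a name defined only in the FortiExtender DNS database

# A resolver returns an IPv4 string, or None when there is no usable answer.
Resolver = Callable[[str], Optional[str]]


def classify_active_server(resolve: Resolver,
                           public_name: str = PUBLIC_NAME,
                           shadow_name: str = SHADOW_NAME) -> str:
    """Classify the device answering on the VIP from two lookups.

    'fortiextender': the shadow name resolves, so FortiExtender's local
                     database is answering (step 16).
    'fortigate':     the public name resolves but the shadow name does not,
                     so FortiGate is Primary and recursing for us (steps 14, 18).
    'none':          nothing answers on the VIP (both devices down or VRRP broken).
    """
    public_ip = resolve(public_name)
    shadow_ip = resolve(shadow_name)
    if shadow_ip is not None:
        return "fortiextender"
    if public_ip is not None:
        return "fortigate"
    return "none"


def failover_events(observations: List[str]) -> List[Tuple[int, str, str]]:
    """Reduce a sequence of classifications to (index, from, to) transitions.

    Feeding it one classification per polling interval during steps 15-17
    shows when the switch to FortiExtender and back to FortiGate happened.
    """
    events: List[Tuple[int, str, str]] = []
    for i in range(1, len(observations)):
        if observations[i] != observations[i - 1]:
            events.append((i, observations[i - 1], observations[i]))
    return events


def make_vip_resolver(vip: str = VRRP_VIP, timeout: float = 2.0) -> Resolver:
    """Build a resolver that sends A queries only to the VRRP address.

    Assumption: the dnspython package is installed; it is imported lazily so
    the rest of this module works offline without it.
    """
    import dns.resolver

    r = dns.resolver.Resolver(configure=False)  # ignore /etc/resolv.conf
    r.nameservers = [vip]
    r.lifetime = timeout

    def _resolve(name: str) -> Optional[str]:
        try:
            return r.resolve(name, "A")[0].to_text()
        except Exception:  # NXDOMAIN, SERVFAIL or timeout: no usable answer
            return None

    return _resolve


def fake_resolver(table: Dict[str, str]) -> Resolver:
    """Constructed resolver for offline use: answers from a dict, None otherwise."""
    return lambda name: table.get(name)


# Constructed answer tables that mimic the article's scenarios.
FORTIGATE_PRIMARY: Dict[str, str] = {PUBLIC_NAME: "203.0.113.10"}                              # steps 14 and 18
FORTIEXTENDER_MASTER: Dict[str, str] = {PUBLIC_NAME: "203.0.113.10", SHADOW_NAME: "192.168.200.50"}  # step 16
OUTAGE: Dict[str, str] = {}                                                                    # nothing on the VIP


if __name__ == "__main__":
    # Offline walk-through of steps 14 -> 16 -> 18 using the constructed tables.
    timeline = [classify_active_server(fake_resolver(t))
                for t in (FORTIGATE_PRIMARY, FORTIGATE_PRIMARY, FORTIEXTENDER_MASTER, FORTIGATE_PRIMARY)]
    print("observations:", timeline)
    print("transitions: ", failover_events(timeline))
    # For a live test on the lab network, replace fake_resolver(...) with make_vip_resolver().
```

On the lab network, call classify_active_server(make_vip_resolver()) once per second around step 15 and step 17 and pass the collected results to failover_events; the first transition index times the VRRP takeover, the second the preemption back to FortiGate, and a stretch of 'none' between them means the VIP was unreachable during the switch.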
Copyright 2024 Fortinet, Inc. All Rights Reserved.